Updated Aug 21, 2014 by

Getting Started

The quickest way to get going with ZAP is to use the Quick Start add-on, which is installed by default.
This allows you to enter a URL which ZAP will first spider and then active scan.
For a more in-depth test you should explore your application using your browser or automated regression tests while proxying through ZAP.

At its heart ZAP is an intercepting proxy.
You need to configure your browser to connect to the web application you wish to test through ZAP.
If required you can also configure ZAP to connect through another proxy - this is often necessary in a corporate environment.

If you know how to set up proxies in your web browser then go ahead and give it a go!
If you are unsure then have a look at the Configuring proxies section.

Once you have configured ZAP as your browser's proxy then try to connect to the web application you will be testing.
If you cannot connect to it then check your proxy settings again. You will need to check your browser's proxy settings, and also ZAP's proxy settings.
It's also worth checking that the application that you are trying to test is running!

When you have successfully connected to your application via your browser then have a look at ZAP again. You should now see one or more lines in the Sites and History tabs.
If so we're in business. If not then you'll need to check your proxy settings again.
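
The connection checks above can also be scripted when troubleshooting. This is an added example, not part of the ZAP documentation: it assumes ZAP's local proxy listens on 127.0.0.1:8080 (use the address and port from your own ZAP proxy settings) and a plain-HTTP target; the function names and the target URL are hypothetical.

```python
import socket
import urllib.error
import urllib.request


def tcp_open(host, port, timeout=2.0):
    """Return True if something accepts TCP connections on host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def diagnose(target_url, proxy_host="127.0.0.1", proxy_port=8080, timeout=5.0):
    """Send one request to target_url through the proxy and report the result.

    Returns "proxy-down", "ok:<status>", "http-error:<status>" or "no-response".
    """
    if not target_url.lower().startswith("http://"):
        raise ValueError("this check only handles plain http:// targets")

    # Step 1: is the proxy listener reachable at the address the client uses?
    if not tcp_open(proxy_host, proxy_port):
        return "proxy-down"

    # Step 2: force the request through the proxy, ignoring environment
    # variables such as http_proxy that could point somewhere else.
    proxy = f"http://{proxy_host}:{proxy_port}"
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy}))
    try:
        with opener.open(target_url, timeout=timeout) as resp:
            return f"ok:{resp.status}"
    except urllib.error.HTTPError as exc:
        # An HTTP error status came back: either the application answered
        # with it, or the proxy generated it because it could not reach
        # the application (check that the application is running).
        return f"http-error:{exc.code}"
    except (urllib.error.URLError, OSError):
        return "no-response"


if __name__ == "__main__":
    # Hypothetical target; replace with the application under test.
    print(diagnose("http://testapp.example/"))
```

A result starting with `ok:` should be accompanied by a new entry for the target in ZAP's Sites and History tabs; if it is not, the request reached some other listener on that port.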

The next thing to do is to start a basic penetration test.

See also

Configuring Proxies - for details of how to set up ZAP as a proxy in your web browser
Introduction - the introduction to ZAP
Features - provided by ZAP
Scanner Rules - supported by default

Comment by, Oct 7, 2010

Just noticed a minor typo in the last sentence of the penultimate paragraph of the getting started section: "In no" == "If not" ?

Comment by project member, Nov 7, 2010

Fixed :) Thanks for pointing this out.


Comment by, Sep 2, 2011

I would like to use ZAP to view HTTP requests sent through a non-browser application. In other words, I have an app that's not a browser, but makes HTTP communication and I would like the traffic to go through ZAP. I set the proxy to the correct port and host, but for some reason the traffic doesn't get to ZAP. Should ZAP work for apps other than browsers?

Comment by, May 12, 2012

I noticed a typo in the first line of getting started: "At its heart ZAP in an intercepting proxy." I conjecture that this should be "At its heart ZAP is an intercepting proxy."

"ZAP in an" == "ZAP is an"
